two questions about migration from FR 2.X to 3.X

Alan DeKok aland at deployingradius.com
Fri Nov 3 11:49:11 CET 2017


On Nov 3, 2017, at 6:39 AM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> 
> I have two questions about migration from oldest to newest version.
> 1. After migration, the process authorization by MSCHAP-V2 wrote that can't
> make NT-password:

  The error is saying "No Cleartext-Password".  i.e. you didn't tell the server what the user's "known good" password is.

> This happened in inner-tunnel site with config:

  What does the *rest* of the debug output say?  Reading that will tell you what's happening.

> But I have the same config on FR 2.X and it worked. Could you tell me why?

  Read the debug output.

> The second question with another client. I've got the next error message:
> 
> Thu Nov  2 21:44:19 2017 : ERROR: (159) eap_peap: Failed in __FUNCTION__
> (SSL_read): s3_srvr.c[1240]:error:1408A0E3:SSL
> routines:ssl3_get_client_hello:parse tlsext
> Thu Nov  2 21:44:19 2017 : ERROR: (159) eap_peap: System call (I/O) error
> (-1)

  Weird.  It looks like that "tlsext" field is malformed.

> Thu Nov  2 21:44:19 2017 : ERROR: (159) eap_peap: TLS receive handshake
> failed during operation
> Thu Nov  2 21:44:19 2017 : ERROR: (159) eap_peap: [eaptls process] = fail
> Thu Nov  2 21:44:19 2017 : ERROR: (159) eap: Failed continuing EAP PEAP
> (25) session.  EAP sub-module failed
> 
> This is a Canon 5240i printer and I can't change its software. As well as in
> the previous question, all work with FR 2.X.

  Let me guess: you also changed operating systems, and OpenSSL versions at the same time.

  Older OpenSSL versions were more forgiving of bad data.  Newer OpenSSL versions are more strict.

  This is (unfortunately) an OpenSSL thing.  Nothing in FreeRADIUS will cause that error.

  The short answer is that the client is broken.  It doesn't implement PEAP / SSL correctly.

  Alan DeKok.
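
Added example, not part of the original message and not FreeRADIUS or OpenSSL code: a structural check of the extensions block in a TLS ClientHello body, showing the kind of length inconsistency a strict parser rejects with a "parse tlsext" style error. The thread does not show what the printer actually sends; the function names and all sample bytes below are constructed for illustration.

```python
import struct

def parse_client_hello_extensions(body: bytes):
    """Walk a ClientHello body (bytes after the 4-byte handshake header) and
    return [(ext_type, ext_len), ...]; raise ValueError on inconsistent lengths."""
    pos = 0

    def take(n, what):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError(f"truncated {what} at offset {pos}")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2, "client_version")
    take(32, "random")
    take(take(1, "session_id length")[0], "session_id")
    take(struct.unpack("!H", take(2, "cipher_suites length"))[0], "cipher_suites")
    take(take(1, "compression_methods length")[0], "compression_methods")
    if pos == len(body):
        return []  # a ClientHello without an extensions block is legal
    (total,) = struct.unpack("!H", take(2, "extensions length"))
    if total != len(body) - pos:
        raise ValueError(f"extensions length {total}, but {len(body) - pos} bytes follow")
    found = []
    while pos < len(body):
        ext_type, ext_len = struct.unpack("!HH", take(4, "extension header"))
        take(ext_len, f"extension 0x{ext_type:04x} data")
        found.append((ext_type, ext_len))
    return found

def build_body(ext_block: bytes) -> bytes:
    """Constructed sample: TLS 1.0, zero random, empty session id,
    one cipher suite (0x002f), null compression, then ext_block."""
    return b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext_block

# Constructed extensions: session_ticket (0x0023, empty), renegotiation_info (0xff01, 1 byte)
EXTS = b"\x00\x23\x00\x00" + b"\xff\x01\x00\x01\x00"
GOOD = build_body(struct.pack("!H", len(EXTS)) + EXTS)
BAD_TOTAL = build_body(struct.pack("!H", len(EXTS) + 4) + EXTS)      # block length overstated
BAD_INNER = build_body(struct.pack("!H", 5) + b"\xff\x01\x00\x05\x00")  # extension length overstated

if __name__ == "__main__":
    for name, body in [("GOOD", GOOD), ("BAD_TOTAL", BAD_TOTAL), ("BAD_INNER", BAD_INNER)]:
        try:
            print(name, parse_client_hello_extensions(body))
        except ValueError as err:
            print(name, "malformed:", err)
```

To use it on real traffic, feed it the ClientHello body extracted from a packet capture of the failing client; it checks length framing only, not the contents of individual extensions.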



